Joined August 2023
- Tweets 277
- Following 124
- Followers 241
- Likes 294
18 Photos and videos
My container was PID 1. It was also PID 4231. Both were true at the same time.
That's not magic, it's a translation table.
Linux tracks two IDs for every process inside a namespace: what the container sees, and what the host actually has.
1
1
15
Prove it:
`cat /proc/$(docker inspect --format='{{.State.Pid}}' mycontainer)/status | grep NSpid`
You'll see both numbers.
Not tutorials. Just a real picture.
#Linux #Docker #Containers #BuildInPublic
1
16
Question for engineers who've debugged container issues in production:
What was the problem that finally made you understand something fundamental about how containers work?
Not looking for common answers. Curious about the weird ones.
1
17
There are 7 Linux namespace types. I knew 3 before I started research for Episode 01.
PID/ process tree
NE/ network stack
MN/ filesystem mounts
UT/ hostname
IPC/ inter-process comms
USER/ UID/GID mapping
CGROUP/ cgroup root (Linux 4.6)
1
1
38
The last two are where it gets interesting.
USER namespaces let a process think it's root without being root on the host. Most container escapes target USER.
#Linux #Docker #Security #Containers #OSS
1
17
cgroups v1 had one serious design flaw that took eight years to fix:
Multiple controllers. No coordination. Memory limits and CPU limits were independent; the kernel couldn't enforce both coherently.
A container hitting its memory limit could thrash CPU trying to swap, and....
1
1
57
...the CPU controller had no idea.
cgroups v2: one unified hierarchy. Coordinated resource accounting.
full pic: rootcause.hashnode.dev/why-c…
That's why your container runtime moved.
Not tutorials. Just the real picture.
#Linux #Docker #Containers #DevOps #OSS #opensource
1
20
Genuine question:
When you think about "what is a container," what's your mental model?
Not a definition. The actual image in your head.
1
21
Two years ago I told someone that Docker isolates containers.
I was wrong. Docker doesn't isolate anything.
Linux does. Docker just knows the right syscall.
1
1
16
clone(). Pass CLONE_NEWPID and the process gets its own PID tree. CLONE_NEWNET, its own network stack. Six namespace types. Six walls. Same kernel underneath all of them.
Docker is the interface. The kernel is the implementation.
Sharing what I learn as I go. #BuildInPublic
1
24
Just published: "What is a Linux namespace, really?
All 7, explained."
Most explanations stop at "namespaces provide isolation."
That's the what, not the how.
Link👇
@buildinpublic
2
2
32
This post goes to the how and what each type actually changes, with /proc evidence for each one.
link: rootcause.hashnode.dev/what-…
1
20
Our life is never defined by any one action, it’s sum of our choices
2
29
Seniority starts when you stop waiting for perfect instructions.
2
36
If your contribution is transactional, so is your trust.
3
29
GSoC selection is less about brilliance and more about who maintainers trust to not disappear.
1
24
Most “learning phases” are just fear of committing publicly.
1
20
Most developers don’t need more tutorials.
They need fewer abandoned projects.
1
19
I’ve done GSoC twice.
Good program.
Bad obsession.
Open source isn’t about stipends or selection.
It’s about trust, consistency, and boring work.
I contribute independently and write about OSS without the hype.
1
29